The National Federation of Parks and Green Spaces (NFPGS) is the umbrella organisation
representing and amplifying the voices of the movement of over 6,000 local Friends Groups
throughout the UK
Please forward to all contacts.
Does my community organisation need to register / comply with the new General Data Protection Regulation in force after May 25th?
Important guidance for each and every Friends Group (equally relevant to all not-for-profit community and voluntary associations)
There has been a lot of confusion over what – if anything – local community groups might need to do to comply with new data protection regulations (GDPR) coming into force on May 25th 2018. It can be fairly well summed up in two words – Don’t Panic!
I have been regularly in touch with the Information Commissioner’s Office – www.ico.org.uk – for over 6 months on this matter so that we can advise our membership. However, I have been repeatedly told that parliament has not yet fully decided on all the provisions of the new GDPR, particularly the exemptions, but to wait and see by checking the ICO website. The website has been unclear on this issue. More recently, I have been advised that the existing exemptions (see pt 1 below) under the current Data Protection Act are likely to continue. I can now report that on 5th April, when I again spoke with an ICO representative, it seems that enough is now known that guidance relevant to community groups can be forwarded.
Basically small community and not-for-profit organisations will be exempt from the provisions, and will not have to register or pay a fee. However, they will be expected, like everyone else, to be mindful of the spirit and basic principles and responsibilities of data protection and personal privacy, eg to ensure that people on email lists have a chance to unsubscribe, that private data is not misused or passed on to third parties without agreement etc.
DOES YOUR ORGANISATION NEED TO REGISTER OR PAY ANY FEES?
1. This is the relevant clause from the ICO guidance regarding the need to register under the existing Data Protection Act, due to be superseded on May 25th:
Taken from: https://ico.org.uk/for-organisations/register/self-assessment/y/N/Y/Yes/Yes/No
Are you a not-for-profit organisation that qualifies for an exemption?
Answer ‘Yes’ if your organisation was established for not-for-profit making purposes and does not make a profit. Also answer ‘yes’ if your organisation makes a profit for its own purposes, as long as the profit is not used to enrich others. You must:
• only process information necessary to establish or maintain membership or support;
• only process information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it;
• only share the information with people and organisations necessary to carry out the organisation’s activities. Important – if individuals give you permission to share their information, this is OK (you can still answer ‘yes’); and
• only keep the information while the individual is a member or supporter or as long as necessary for member/supporter administration.
2. This is the relevant clause(s) from recent ICO guidance regarding the need to pay a fee (and hence to register) under the new General Data Protection Regulation [GDPR] coming in on May 25th:
Taken from: https://ico.org.uk/media/for-organisations/documents/2258205/dp-fee-guide-for-controllers-20180221.pdf
Re the GDPR coming in on May 25th 2018, in the above document under Section 5 ‘Exemptions’, the following activities are exempt – ie if an organisation only carries out one or more of these personal data-processing activities you will NOT have to notify/register/pay a fee:
• Staff administration;
• Advertising, marketing and public relations;
• Accounts and records;
• Not-for-profit purposes;
• Personal, family or household affairs;
• Maintaining a public register;
• Judicial functions;
• Processing personal information without an automated system such as a computer
The document explains ‘not-for-profit purposes’ further [at the bottom of p8. Paragraph 7] – this is the KEY CLAUSE for most community groups!:
A specific exemption applies to bodies or associations that are not established or conducted for profit. However, the exemption applies only if:
· you are only processing data for the purposes of establishing or maintaining membership or support for a body or association not established or conducted for profit, or providing or administering activities for individuals who are members of the body or association or have regular contact with it
· you only hold information about individuals whose data you need to process for this exempt purpose
· the personal data you process is restricted to personal information that is necessary for this exempt purpose
If yes to all, a data protection fee [and registration] is not due
This is the best information I have been able to identify at this stage. If in any doubt, or you want to know more, please read the above ICO document yourself!
best wishes
Dave Morris
Chair, NFPGS
Ok, so does this mean… that we don’t have to worry if we have a mailing list in a membership-tracking-package and another mailing list in Mailchimp? Or can we only have one mailing list? Are things ok if each mailing list is backed up and password protected?